Sptoolkit - A Simple Phishing Toolkit

The spt project ( sptoolkit ) is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

spt ( sptoolkit )was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability. If the spt project sounds interesting to you, please consider downloading it for evaluation in your own organization. Feedback is welcomed and always appreciated.

Basic reuirements for sptoolkit

• Apache,
• PHP
• MySQL

Feature list of sptoolkit 

• Vast improvements in the editing functionality for templates and education packages. Major changes include: two different editors to choose from (the oroginal spt text editor and TinyMCE), copy templates or education to new version and then customize them.
• Added education completion tracking, now you can determine if your targets completed the assigned education in a campaign.
• Support for the Google and TinyURL URL shortener services. Now your phishing emails can have shortened URLs, making them harder to detect.
• Support for sending SMTP using SSL secured connections.
• Enhancements to the viewing of campiang information including SMTP relay used and destination URL used.
• Initial support for using spt in SSL/TLS secured installations, code updates to prevent insecure content warnings.
• All forms now generate inline errors with entered value retention, allowing easy correction of incorrect or missing items without requiring all information to be entered again.
• Email tracking times are now more accurate when viewing campaign information.
• Most items in the Quick Start module now feature links allowing you to quickly access the desired location in the spt UI.
• Enhancements to the browser detection script for more information on what you need vs. what you have.
• Many security and usability issues fixed.
• Additional improvements in authentication and session management security.

Download sptoolkit

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Sendrawpdu : iPhone SMS spoofing tool Released

A French hacker has released a tool capable of sending SMSes with spoofed sender details on the iPhone 4. The sendrawpdu command line interface tool allows users to customise the reply number on SMSes and could be ideal for phishing attacks.

Researcher revealed an SMS spoofing flaw that affects every version of Apple’s mobile OS. Using the flaw, hackers could spoof their identities via text and send messages asking for private information (by pretending to be from a users’ bank, for example), or direct users to phishing sites.

pod2g highlights several ways in which malicious parties could take advantage of this flaw, including phishing attempts linking users to sites collecting personal information or spoofing messages for the purposes of creating false evidence or gaining a recipient's trust to enable further nefarious action.

In many cases the malicious party would need to know the name and number of a trusted contact of the recipient in order for their efforts to be effective, but the phishing example shows how malicious parties could cast broad nets hoping to snare users by pretending to be a common bank or other institution.

French hacker has published on his blog that he developed iPhone SMS security app and called it Sendrawpdu. The tool is designed for iPhone 4, and can be downloaded free of charge from the service repository Github where you can find the app.

Download Sendrawpdu

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Phemail.py: Phishing EMail Social Engineering Tool

Social Engineering is defined as the process of inducing people into giving away access or confidential information. From a security consultant point of view this topic is not new and there are many tools which can be used against the target.

phemail.py - Phishing EMAIL. The main purpose of this tool is to prove who clicked on the phishing email without attempting to exploit the web browser but collecting as much information as possible. For this reason it will be 100% undetectable by any antivirus and it will obtain sufficient data to have an initial proof of concept for the client.

Steps to use Phemail.py:

1. Find corporate email addresses: Phemail has an option for harvesting corporate email addresses and save them to a file. Phemail.py leverages Google to search for LinkedIn specific corporate e-mail targets.
2. Create a phishing email template: You get to create your own custom phishing templates. Do not forget to add the string “{0}” in each URL as the script will replace this string with the correct URL automatically.
3. Host/upload a single PHP file: This file contains JavaScript code which attempts to collect web browser information and save it in a log file in /tmp directory.
4. Run the php file as shown in the following example: # phemail.py -e test-emails.txt -f "Tax report " -r "Tax Report " -s "Important information about your tax" -b body.txt -w http://YOUR-WEBSITE.com

Download Phemail.py

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Android Network Spoofer - Pwn WiFi Networks

Developed by Digitalsquid, Network Spoofer is a powerful networking app for Android devices that lets you spoof people on your network. It comes with over a dozen “hacks” such as redirecting all websites to your chosen URL, redirect all YouTube videos to the famous Never Gonna Give You Up music video, blur all images on websites, flip images, change all images on a website to a troll face etc.

Network Spoofer lets you change websites on other people’s computers from an Android phone. After downloading simply log onto a Wifi network, choose a spoof to use and press start.Please note that there is no intention for Network Spoofer to include any malicious features. This application is a fun demonstration of how vulnerable home networks are to simple attacks, with permission of the network owner - DO NOT attempt to use Network Spoofer on any corporate or other non-residential networks (eg. at school, university). It becomes very obvious when Network Spoofer is being used on a Network, and use of Network Spoofer will be considered malicious hacking by network administrators.

Download Network Spoofer or Android Market

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Ghost-phisher - GUI suite for phishing and penetration attacks

Ghost Phisher is a computer security application that comes inbuilt with a Fake DNS Server, Fake DHCP Server, Fake HTTP server and also has an integrated area for automatic capture and logging of HTTP form method credentials to a database.

The program could be used as an honey pot,could be used to service DHCP request , DNS requests or phishing attacks.

To install simply run the following command in terminal after changing directory to the path were the downloaded package is:
       dpkg -i ghost-phisher_1.3_all.deb

To get the source code for this project from SVN, here's the checkout link:
      svn checkout http://ghost-phisher.googlecode.com/svn/Ghost-Phisher

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Social Engineer Toolkit 3.3 Released

The Social Engineering Toolkit (SET) is an open source, python-driven, social-engineeringpenetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing. It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. SET leverages multiple attackvectors that take advantage of the human element of security in an effort to target attackers.

Official change log for Social Engineer Toolkit:

• Added new menu powershell attack vectors  will be used for powershell based attacks
• Added new payload powerdump to the powershell attack vectors
• Added new payload bind shell to the powershell attack vectors
• Added new payload powershell shellcode injection to the powershell attack vectors
• New core routine added for powershell_convert (powershell_command) which will do all the proper unicode + base64 encoding needed for powershell -EncodedCommand bypass
• New core routine added powershell_generate_payload(payload,ipaddr,port,powershell_command). This will create the necessary alphanumeric shellcode needed through metasploit in order to successfully create the powershell injection attack
• Added ms12-027 to the spear phishing attack vectors – MSCOMCTL ActiveX Buffer Overflow (from Metasploit)
• Added new payload reverse shell to powershell attack vectors
• Fixed a bug in Metasploit browser exploits where the numbers were off and would not properly parse the exploit (thanks for the report Dale Pearson)
• Added a pause when using the Apache menu so it doesn’t automatically exit
• Added a pause when something is on port 80 for credential harvester to display the error message
• Added a new phishing template provided by chap0, thanks for the contribution!
• Fixed a wording issue within Fast-Track exploit selection, it was asking for a nmap range, it should read which exploit do you want
• Added the Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit exploit by muts into Fast-Track
• Added the RDP use after free DoS into Social Engineer Toolkit in the Fast-Track custom exploits section
• Added new subroutine for powershell conversion
• Added automatic convert for powershell alphanumeric shellcode to automatically encode the commands
• Added the menu system for the new powershell menu
• Added ability to leverage msf payloads in the alphnaumeric shellcode
• Added metasploit listener option for the powershell attack
• Added a new native python socket listener for a standard reverse shell routine in setcore socket_listener(port)
• Added powershell bind shell into the new powershell interpreter attack vector
• Added new core routine for powershell alphanumeric injection and conversion with msfvenom
• Added functionality through powershell.py to dynamically generate payloads and inject through powershell
• Removed large portion of prep.py and centralized through setcore routines
• Added powershell powerdump to the attack vectors for powershell attacks
• Fixed a bug that would prompt twice for an IP address in the new powershell attack

Download Social Engineer Toolkit 3.3

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email